Reparsing unsuccessfully parsed event data in a security information and event management system

ABSTRACT

A mechanism is provided for reparsing unsuccessfully parsed event data. Responsive to determining that one or more unsuccessfully parsed event data items exist for a log source, each unsuccessfully parsed event data item of the one or more unsuccessfully parsed event data items is reparsing using an updated device support module associated with the log source. Responsive to the device support module successfully reparsing the unsuccessfully parsed event data item thereby forming a successfully parsed event data item, the successfully parsed event data item is added to a historical record of events associated with the log source. Responsive to the device support module failing to successfully reparse the unsuccessfully parsed event data item, the unsuccessfully parsed event data item is retained in an unsuccessfully parsed event data item data structure.

BACKGROUND

The present application relates generally to an improved data processingapparatus and method and more specifically to mechanisms for reparsingunsuccessfully parsed event data in a security information and eventmanagement (SIEM) system.

In the field of computer security, security information and eventmanagement (SIEM) software products and services combine securityinformation management (SIM) and security event management (SEM). A SIMsystem collects data into a central repository for trend analysis andprovides automated reporting for compliance and centralized reporting. ASEM system centralizes the storage and interpretation of logs and allowsnear real-time analysis that enables security personnel to takedefensive actions more quickly. By bringing these two functionstogether, SIEM systems provide quicker identification, analysis andrecovery of security events, SIEM systems also allow compliance managersto confirm that an organization's legal compliance requirements arefulfilled.

That is, a SIEM system collects logs and other security-relateddocumentation for analysis. Most SIEM systems work by deploying multiplecollection agents in a hierarchical manner to gather security-relatedevents from networked log sources such as end-user devices, servers,network equipment, and even specialized security equipment such asfirewalls, antivirus or intrusion prevention systems. The collectorsforward events to a centralized management console, which performsinspections and flags anomalies.

SUMMARY

This Summary is provided to introduce a selection of concepts in asimplified form that are further described herein in the DetailedDescription. This Summary is not intended to identify key factors oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

In one illustrative embodiment, a method, in a data processing system,is provided for reparsing unsuccessfully parsed event data. Theillustrative embodiment determines whether one or more unsuccessfullyparsed event data items exist for a log source, where an unsuccessfullyparsed event data item is an event data item where previous parsingfailed. The illustrative embodiment reparses each unsuccessfully parsedevent data item of the one or more unsuccessfully parsed event dataitems using an updated device support module associated with the logsource in response to one or more unsuccessfully parsed event data itemsexisting. The illustrative embodiment adds the successfully reparsedevent data item to a historical record of events associated with the logsource in response to the device support module successfully parsing theunsuccessfully parsed event data item thereby forming a successfullyparsed event data item. The illustrative embodiment retains theunsuccessfully parsed event data item in an unsuccessfully parsed eventdata item data structure in response to the device support modulefailing to successfully reparse the unsuccessfully parsed event dataitem.

In other illustrative embodiments, a computer program product comprisinga computer useable or readable medium having a computer readable programis provided. The computer readable program, when executed on a computingdevice, causes the computing device to perform various ones of, andcombinations of, the operations outlined above with regard to the methodillustrative embodiment.

In yet another illustrative embodiment, a system/apparatus is provided.The system/apparatus may comprise one or more processors and a memorycoupled to the one or more processors. The memory may compriseinstructions that, when executed by the one or more processors, causethe one or more processors to perform various ones of, and combinationsof, the operations outlined above with regard to the method illustrativeembodiment.

These and other features and advantages of the present invention will bedescribed in, or will become apparent to those of ordinary skill in theart in view of, the following detailed description of the exampleembodiments of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention, as well as a preferred mode of use and further objectivesand advantages thereof, will best be understood by reference to thefollowing detailed description of illustrative embodiments when read inconjunction with the accompanying drawings, wherein:

FIG. 1 is an example diagram of a distributed data processing system inwhich aspects of the illustrative embodiments may be implemented;

FIG. 2 is an example block diagram of a computing device in whichaspects of the illustrative embodiments may be implemented;

FIG. 3 depicts a functional block diagram of a reparsing mechanism thatreparses unsuccessfully parsed event data in a security information andevent management (SIEM) system in accordance with an illustrativeembodiment;

FIG. 4 depicts a flowchart of the operation performed by a securityinformation and event management (SIEM) system in parsing event data inaccordance with an illustrative embodiment; and

FIG. 5 depicts a flowchart of the operation performed by a securityinformation and event management (SIEM) system in reparsingunsuccessfully parsed event data in accordance with an illustrativeembodiment.

DETAILED DESCRIPTION

Again, a security information and event management (SIEM) systemcollects logs and other security-related documentation for analysis.That is, a SIEM system receives event data from networked log sourcessuch as end-user devices, servers, network equipment, and evenspecialized security equipment such as firewalls, antivirus or intrusionprevention systems. The event data is parsed by a respective devicesupport module (DSM) associated with the log source into a parsableformat that is stored in the SIEM system. Anytime there are changes to aversion of log source, a reported event may not be handled properly bythe associated DSM. That is, the new version of the log source may causeevent data to be unparsable by the associated DSM and thus, the eventdata remains unparsed and is stored as unknown event data in the SIEMsystem. When event data is unsuccessfully parsed, consumers currentlyhave to open a support ticket requiring a new version of the DSM beissued.

The problem with this approach is that, for the time required to updatethe version of the DSM, event data being logged is not usable in theSIEM database. While this is not technically a data outage, failing toparse and properly store event data causes “gaps” in the customer'shistorical record, which may contain very important information onattacks/events that have happened on the customer's networks. Currently,in many cases, properly evaluating the unsuccessfully parsed events isvery difficult or impossible for the SIEM system. That is, while theunsuccessfully parsed event data is stored, currently, theunsuccessfully parsed event data is never reprocessed to fill in those“gaps” in the historical record.

Therefore, the illustrative embodiments provide mechanisms for reparsingunsuccessfully parsed event data in a SIEM system. The mechanismsutilize the most recent DSM associated with the device to look back overtime and attempt to reparse any unsuccessfully parsed event data usingnew rules instantiated in the DSM and then store the parsed dataappropriately in the associated historical record. This ensures thatholes in the historical record are filled over time and thus, may beviewed and/or evaluated for the potential impact to the network orsystems.

Before beginning the discussion of the various aspects of theillustrative embodiments, it should first be appreciated that throughoutthis description the term “mechanism” will be used to refer to elementsof the present invention that perform various operations, functions, andthe like. A “mechanism,” as the term is used herein, may be animplementation of the functions or aspects of the illustrativeembodiments in the form of an apparatus, a procedure, or a computerprogram product. In the case of a procedure, the procedure isimplemented by one or more devices, apparatus, computers, dataprocessing systems, or the like. In the case of a computer programproduct, the logic represented by computer code or instructions embodiedin or on the computer program product is executed by one or morehardware devices in order to implement the functionality or perform theoperations associated with the specific “mechanism.” Thus, themechanisms described herein may be implemented as specialized hardware,software executing on general-purpose hardware, software instructionsstored on a medium such that the instructions are readily executable byspecialized or general-purpose hardware, a procedure or method forexecuting the functions, or a combination of any of the above.

The present description and claims may make use of the terms “a,” “atleast one of,” and “one or more of” with regard to particular featuresand elements of the illustrative embodiments. It should be appreciatedthat these terms and phrases are intended to state that there is atleast one of the particular feature or element present in the particularillustrative embodiment, but that more than one can also be present.That is, these terms/phrases are not intended to limit the descriptionor claims to a single feature/element being present or require that aplurality of such features/elements be present. To the contrary, theseterms/phrases only require at least a single feature/element with thepossibility of a plurality of such features/elements being within thescope of the description and claims.

Moreover, it should be appreciated that the use of the term “engine,” ifused herein with regard to describing embodiments and features of theinvention, is not intended to be limiting of any particularimplementation for accomplishing and/or performing the actions, steps,processes, etc., attributable to and/or performed by the engine. Anengine may be, but is not limited to, software, hardware and/or firmwareor any combination thereof that performs the specified functionsincluding, but not limited to, any use of a general and/or specializedprocessor in combination with appropriate software loaded or stored in amachine readable memory and executed by the processor. Further, any nameassociated with a particular engine is, unless otherwise specified, forpurposes of convenience of reference and not intended to be limiting toa specific implementation. Additionally, any functionality attributed toan engine may be equally performed by multiple engines, incorporatedinto and/or combined with the functionality of another engine of thesame or different type, or distributed across one or more engines ofvarious configurations.

In addition, it should be appreciated that the following descriptionuses a plurality of various examples for various elements of theillustrative embodiments to further illustrate example implementationsof the illustrative embodiments and to aid in the understanding of themechanisms of the illustrative embodiments. These examples intended tobe non-limiting and are not exhaustive of the various possibilities forimplementing the mechanisms of the illustrative embodiments. It will beapparent to those of ordinary skill in the art in view of the presentdescription that there are many other alternative implementations forthese various elements that may be utilized in addition to, or inreplacement of, the examples provided herein without departing from thespirit and scope of the present invention.

Thus, the illustrative embodiments may be utilized in many differenttypes of data processing environments. In order to provide a context forthe description of the specific elements and functionality of theillustrative embodiments, FIGS. 1 and 2 are provided hereafter asexample environments in which aspects of the illustrative embodimentsmay be implemented. It should be appreciated that FIGS. 1 and 2 are onlyexamples and are not intended to assert or imply any limitation withregard to the environments in which aspects or embodiments of thepresent invention may be implemented. Many modifications to the depictedenvironments may be made without departing from the spirit and scope ofthe present invention.

FIG. 1 depicts a pictorial representation of an example distributed dataprocessing system in which aspects of the illustrative embodiments maybe implemented. Distributed data processing system 100 may include anetwork of computers in which aspects of the illustrative embodimentsmay be implemented. The distributed data processing system 100 containsat least one network 102, which is the medium used to providecommunication links between various devices and computers connectedtogether within distributed data processing system 100. The network 102may include connections, such as wire, wireless communication links, orfiber optic cables.

In the depicted example, server 104 and server 106 are connected tonetwork 102 along with storage unit 108. In addition, clients 110, 112,and 114 are also connected to network 102. These clients 110, 112, and114 may be, for example, personal computers, network computers, or thelike. In the depicted example, server 104 provides data, such as bootfiles, operating system images, and applications to the clients 110,112, and 114. Clients 110, 112, and 114 are clients to server 104 in thedepicted example. Distributed data processing system 100 may includeadditional servers, clients, and other devices not shown.

In the depicted example, distributed data processing system 100 is theInternet with network 102 representing a worldwide collection ofnetworks and gateways that use the Transmission ControlProtocol/Internet Protocol (TCP/IP) suite of protocols to communicatewith one another. At the heart of the Internet is a backbone ofhigh-speed data communication lines between major nodes or hostcomputers, consisting of thousands of commercial, governmental,educational and other computer systems that route data and messages. Ofcourse, the distributed data processing system 100 may also beimplemented to include a number of different types of networks, such asfor example, an intranet, a local area network (LAN), a wide areanetwork (WAN), or the like. As stated above, FIG. 1 is intended as anexample, not as an architectural limitation for different embodiments ofthe present invention, and therefore, the particular elements shown inFIG. 1 should not be considered limiting with regard to the environmentsin which the illustrative embodiments of the present invention may beimplemented.

As shown in FIG. 1, one or more of the computing devices, e.g., server104, may be specifically configured to implement a re-parsing processfor reparsing unsuccessfully parsed event data that was previouslyattempted to be parsed in a security information and event management(SIEM) system. The configuring of the computing device may comprise theproviding of application specific hardware, firmware, or the like tofacilitate the performance of the operations and generation of theoutputs described herein with regard to the illustrative embodiments.The configuring of the computing device may also, or alternatively,comprise the providing of software applications stored in one or morestorage devices and loaded into memory of a computing device, such asserver 104, for causing one or more hardware processors of the computingdevice to execute the software applications that configure theprocessors to perform the operations and generate the outputs describedherein with regard to the illustrative embodiments. Moreover, anycombination of application specific hardware, firmware, softwareapplications executed on hardware, or the like, may be used withoutdeparting from the spirit and scope of the illustrative embodiments.

It should be appreciated that once the computing device is configured inone of these ways, the computing device becomes a specialized computingdevice specifically configured to implement the mechanisms of theillustrative embodiments and is not a general purpose computing device.Moreover, as described hereafter, the implementation of the mechanismsof the illustrative embodiments improves the functionality of thecomputing device and provides a useful and concrete result thatfacilitates a re-parsing process that reparses unsuccessfully parsedevent data in a SIEM system.

As noted above, the mechanisms of the illustrative embodiments utilizespecifically configured computing devices, or data processing systems,to perform the operations for reparsing unsuccessfully parsed event datain a SIM system. These computing devices, or data processing systems,may comprise various hardware elements that are specifically configured,either through hardware configuration, software configuration, or acombination of hardware and software configuration, to implement one ormore of the systems/subsystems described herein. FIG. 2 is a blockdiagram of just one example data processing system in which aspects ofthe illustrative embodiments may be implemented. Data processing system200 is an example of a computer, such as server 104 in FIG. 1, in whichcomputer usable code or instructions implementing the processes andaspects of the illustrative embodiments of the present invention may belocated and/or executed so as to achieve the operation, output, andexternal effects of the illustrative embodiments as described herein.

In the depicted example, data processing system 200 employs a hubarchitecture including north bridge and memory controller hub (NB/MCH)202 and south bridge and input/output (I/O) controller hub (SB/ICH) 204.Processing unit 206, main memory 208, and graphics processor 210 areconnected to NB/MCH 202. Graphics processor 210 may be connected toNB/MCH 202 through an accelerated graphics port (AGP).

In the depicted example, local area network (LAN) adapter 212 connectsto SB/ICH 204. Audio adapter 216, keyboard and mouse adapter 220, modem222, read only memory (ROM) 224, hard disk drive (HDD) 226, CD-ROM drive230, universal serial bus (USB) ports and other communication ports 232,and PCI/PCIe devices 234 connect to SB/ICH 204 through bus 238 and bus240. PCI/PCIe devices may include, for example, Ethernet adapters,add-in cards, and PC cards for notebook computers. PCI uses a card buscontroller, while PCIe does not. ROM 224 may be, for example, a flashbasic input/output system (BIOS).

HDD 226 and CD-ROM drive 230 connect, to SB/ICH 204 through bus 240. HDD226 and CD-ROM drive 230 may use, for example, an integrated driveelectronics (IDE) or serial advanced technology attachment (SATA)interface. Super I/O (SIO) device 236 may be connected to SB/ICH 204.

An operating system runs on processing unit 206. The operating systemcoordinates and provides control of various components within the dataprocessing system 200 in FIG. 2. As a client, the operating system maybe a commercially available operating system such as Microsoft® Windows7®. An object-oriented programming system, such as the Java™ programmingsystem, may run in conjunction with the operating system and providescalls to the operating system from Java™ programs or applicationsexecuting on data processing system 200.

As a server, data processing system 200 may be, for example, an IBMeServer™ System computer system, Power™ processor based computer system,or the like, running the Advanced Interactive Executive (AIX®) operatingsystem or the LINUX® operating system. Data processing system 200 may bea symmetric multiprocessor (SMP) system including a plurality ofprocessors in processing unit 206. Alternatively, a single processorsystem may be employed.

Instructions for the operating system, the object-oriented programmingsystem, and applications or programs are located on storage devices,such as HDD 226, and may be loaded into main memory 208 for execution byprocessing unit 206. The processes for illustrative embodiments of thepresent invention may be performed by processing unit 206 using computerusable program code, which may be located in a memory such as, forexample, main memory 208, ROM 224, or in one or more peripheral devices226 and 230, for example.

A bus system, such as bus 238 or bus 240 as shown in FIG. 2, may becomprised of one or more buses. Of course, the bus system may beimplemented using any type of communication fabric or architecture thatprovides for a transfer of data between different components or devicesattached to the fabric or architecture. A communication unit, such asmodem 222 or network adapter 212 of FIG. 2, may include one or moredevices used to transmit and receive data. A memory may be, for example,main memory 208, ROM 224, or a cache such as found in NB/MCH 202 in FIG.2.

As mentioned above, in some illustrative embodiments the mechanisms ofthe illustrative embodiments may be implemented as application specifichardware, firmware, or the like, application software stored in astorage device, such as HDD 226 and loaded into memory, such as mainmemory 208, for executed by one or more hardware processors, such asprocessing unit 206, or the like. As such, the computing device shown inFIG. 2 becomes specifically configured to implement the mechanisms ofthe illustrative embodiments and specifically configured to perform theoperations and generate the outputs described hereafter with regard toreparsing unsuccessfully parsed event data in a SIEM system.

Those of ordinary skill in the art will appreciate that the hardware inFIGS. 1 and 2 may vary depending on the implementation. Other internalhardware or peripheral devices, such as flash memory, equivalentnon-volatile memory, or optical disk drives and the like, may be used inaddition to or in place of the hardware depicted in FIGS. 1 and 2. Also,the processes of the illustrative embodiments may be applied to amultiprocessor data processing system, other than the SMP systemmentioned previously, without departing from the spirit and scope of thepresent invention.

Moreover, the data processing system 200 may take the form of any of anumber of different data processing systems including client computingdevices, server computing devices, a tablet computer, laptop computer,telephone or other communication device, a personal digital assistant(PDA), or the like. In some illustrative examples, data processingsystem 200 may be a portable computing device that is configured withflash memory to provide non-volatile memory for storing operating systemfiles and/or user-generated data, for example. Essentially, dataprocessing system 200 may be any known or later developed dataprocessing system without architectural limitation.

FIG. 3 depicts a functional block diagram of a reparsing mechanism thatreparses unsuccessfully parsed event data in a security information andevent management (SIEM) system in accordance with an illustrativeembodiment. Data processing system 300, which is a data processingsystem such as data processing 200 of FIG. 2, comprises SIEM system 302and a plurality of log sources 304 a-304 n. Again, SIEM system 302 is asystem that combines security information management (SIM) and securityevent management (SEM). SIEM system 302 further comprises a plurality ofdevice support modules (DSMs) 306 a-306 n. Each DSM in DSMs 306 a-306 nis a configuration mechanism that parses events from its associated logsource and converts them to a standard taxonomy format that can beutilized by the SIEM system 302. Log sources 304 a-304 n are anyexternal device, system, or cloud service that is configured to eithersend events to SIEM system 302 or be collected by SIEM system 302. Oncea log from a log source in log sources 304 a-304 n is parsed by itsassociated DSM in DSMs 306 a-306 n, the parsed data is stored in anassociated historical record of a plurality of historical records 308a-308 n within storage 310.

However, as discussed previously, anytime there are changes to a logsource, such as an update in the software version of the log source, anew event that the SIEM is not prepared to parse, or the like, areported event may not be handled properly by the associated DSM. Thatis, for example, the new version of software installed on log source 304a may cause event data from log source 304 a to be unparsable byassociated DSM 306 a and thus, the event data remains unparsed and SIEMsystem 302 stores the unsuccessfully parsed event data as associatedunknown event data in unknown events data structure 312 a in storage310. That is, for any unsuccessfully parsed event data by DSMs 306 a-306n due to changes in an associated log source 304 a-304 n, DSMs 306 a-306n have an associated unknown events data structure 312 a-312 n in whichto store the unsuccessfully parsed event data. Thus, this unsuccessfullyparsed event data presents a problem for the SEM as the unsuccessfullyparsed event data may contain important information as to what has goneon within the network at that point in time, such as an attack,unauthorized access event, or the like. When these unsuccessfully parsedevent data events are encountered, a deficiency is identified within theDSM that must be rectified. Through normal maintenance, each of DSMs 306a-306 n is updated in order to parse such unsuccessfully parsed eventdata. However, current SEM systems do not go back and reprocessunsuccessfully parsed event data.

In accordance with the illustrative embodiments, re-parsing mechanism314 within SEM system 302 monitors the DSMs 306 a-306 n associated withthe log sources 304 a-304 n to determine whether one or more of DSMs 306a-306 n has been updated using temporal update information associatedwith each DSM and the last time re-parsing mechanism 314 was executed.Response to re-parsing mechanism 314 determining that one or more ofDSMs have been updated, re-parsing mechanism 314 searches each unknownevents data structure 312 associated with each DSM of the one or moreDSMs that has been updated for one or more unsuccessfully parsed eventdata items. For each updated DSM, if re-parsing mechanism 314 identifiesone or more unsuccessfully parsed event data items in the associatedunknown events data structure, re-parsing mechanism 314 causes the DSMto reparse the one or more unsuccessfully parsed event data items. Foreach one or more unsuccessfully parsed event data items, responsive tothe DSM being able to parse the event data correctly, the re-parsingmechanism 314 in conjunction with the DSM stores the parsed data intemporal order within the associated historical record 308 and removesthe associated unsuccessfully parsed event data from the unknown eventsdata structure 312. Responsive to the DSM failing to parse the eventdata correctly, the re-parsing mechanism 314 in conjunction with the DSMleaves the unsuccessfully parsed event data in the unknown events datastructure 312. Once all the one or more unsuccessfully parsed event dataitems from the unknown events data structure 312 are reprocessed,re-parsing mechanism 314 notifies the MEM of the one or more newlyparsed event data items that have been added to the associatedhistorical record 308 so that SEM system 302 may provide a holistic viewof an organization's information technology (IT) security to thecustomer for use in further IT Security development. For anyunsuccessfully parsed event data items after the reprocessing,re-parsing mechanism 314 issues a notification to administrators so thatthe failure of the DSM may be addressed. That is, while the customer maynormally open a support ticket when event data is unsuccessfully parsed,since re-parsing mechanism 314 performs the reparsing based on updatesto the DSM, the illustrative embodiments take a proactive stance onaddressing the customer's needs when one or more unsuccessfully parsedevent data items are identified.

Thus, the illustrative embodiments provide a re-parsing mechanism 314that identifies when a DSM has been updated, triggers a process thatgoes back through time and reparses one or more unsuccessfully parsedevent data items, and closes the gap in historical data. Closing thisgap removes purported data outage and creates a more continuoushistorical record for the SIEM system and the SIEM users to work with.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firework, switches, gateway computers and/or edgeservers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Java, Smalltalk, C++ or the like,and conventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat, the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

FIG. 4 depicts a flowchart of the operation performed by a securityinformation and event management (SIEM) system in parsing event data inaccordance with an illustrative embodiment. As the operation begins, theSIEM system receives event data from a log source (step 402) such as anexternal device, system, or cloud service that is configured to eithersend events to the SIEM system or be collected by the SIEM system.Responsive to receiving the event data, an associated device supportmodule (DSM), within the SIEM system, attempts to parse the event data(step 404). If at step 404 the DSM is able to parse the data, the SIEMsystem adds the parsed data to an associated historical record intemporal form (step 406) so as to provide an accurate historical recordof the events experienced by the log source, with the operation endingthereafter. If at step 404 the DSM is unable to parse the data, the SIEMsystem adds the unsuccessfully parsed event data to an unknown eventsdata structure (step 408), with the operation ending thereafter.

FIG. 5 depicts a flowchart of the operation performed by a securityinformation and event management (SIEM) system in reparsingunsuccessfully parsed event data in accordance with an illustrativeembodiment. It should be noted that the operation described in FIG. 5could be performed in conjunction with the operation described in FIG. 4or as a standalone operation. As the operation begins, a re-parsingmechanism within the SIEM system monitors a plurality of device supportmodules (DSMs) associated with a plurality of log sources to determinewhether one or more of the DSMs has been updated (step 502) usingtemporal update information associated with each DSM and the last timethe re-parsing mechanism was executed. If at step 502 the re-parsingmechanism determines that none of the DSMs has been updated, then theoperation terminates. However, if at step 502 the re-parsing mechanismdetermines that one or more of the DSMs has been updated, then there-parsing mechanism searches each unknown events data structureassociated with each DSM of the one or more DSMs that has been updatedfor one or more unsuccessfully parsed event data items (step 504). Foreach updated DSM, if at step 504 the re-parsing mechanism fails toidentify one or more unsuccessfully parsed event data items in theassociated unknown events data structure, the operation proceeds to step520 described below. For each updated DSM, if at step 504 the re-parsingmechanism identities one or more unsuccessfully parsed event data itemsin the associated unknown events data structure, the re-parsingmechanism causes the DSM to reparse the one or more unsuccessfullyparsed event data items one by one (step 506).

For each one or more unsuccessfully parsed event data items, if at step506 the DSM is able to successfully parse the event data correctly, there-parsing mechanism in conjunction with the DSM adds the parsed data intemporal order to the associated historical record (step 508) andremoves the associated unsuccessfully parsed event data from the unknownevent data structure (step 510). For each one or more unsuccessfullyparsed event data items, if at step 506 the DSM is unable tosuccessfully parse the event data correctly, the re-parsing mechanism inconjunction with the DSM leaves the unsuccessfully parsed event data inthe unknown events data structure (step 512). From steps 510 and 512,the re-parsing mechanism then determines whether there is anotherunsuccessfully parsed event data item to process (step 514). If at step514 there is another unsuccessfully parsed event data item to process,the operation returns to step 506. If at step 514 there are no moreunsuccessfully parsed event data items for that DSM, the re-parsingmechanism notifies the SIEM of the one or more newly parsed event dataitems that have been added to the associated historical record (step516) so that SIEM system may provide a holistic view of anorganization's information technology (IT) security to the customer foruse in further IT Security development. For any unsuccessfully parsedevent data items after the reprocessing, the re-parsing mechanism issuesa notification to administrators so that the failure of the DSM may beaddressed (step 518).

From step 518 or if at step 504 the re-parsing mechanism fails toidentify one or more unsuccessfully parsed event data items in theassociated unknown events data structure, the re-parsing mechanismdetermines whether there is another updated DSM in the identified one ormore DSMs that has been updated (step 520). If at step 520 there isanother updated DSM, then the operation returns to step 504. If at step520 there is not another updated DSM, then the operation terminates.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

Thus, the illustrative embodiments provide mechanisms for reparsingunsuccessfully parsed event data in a SIEM system. The mechanismsutilize the most recent DSM associated with the device to look back overtime and attempt to reparse any unsuccessfully parsed event data usingnew rules instantiated in the DSM and then store the parsed dataappropriately in the associated historical record. This ensures thatgaps in the historical record are filled over time and thus, may beviewed and/or evaluated for the potential impact to the network orsystems. Closing this gap removes purported data outage and creates amore continuous historical record for the SIEM system and the SIEM usersto work with. Further, while the customer may normally open a supportticket when event data is unsuccessfully parsed, since the re-parsingmechanism performs the reparsing based on updates to the DSM, theillustrative embodiments take a proactive stance on addressing thecustomer's needs when one or more unsuccessfully parsed event data itemsare identified.

As noted above, it should be appreciated that the illustrativeembodiments may take the form of an entirely hardware embodiment, anentirely software embodiment or an embodiment containing both hardwareand software elements. In one example embodiment, the mechanisms of theillustrative embodiments are implemented in software or program code,which includes but is not limited to firmware, resident software,microcode, etc.

A data processing system suitable for storing and/or executing programcode will include at least one processor coupled directly or indirectlyto memory elements through a system bus. The memory elements can includelocal memory employed during actual execution of the program code, bulkstorage, and cache memories which provide temporary storage of at leastsome program code in order to reduce the number of times code must beretrieved from bulk storage during execution.

Input/output or I/O devices (including but not limited to keyboards,displays, pointing devices, etc.) can be coupled to the system eitherdirectly or through intervening I/O controllers. Network adapters mayalso be coupled to the system to enable the data processing system tobecome coupled to other data processing systems or remote printers orstorage devices through intervening private or public networks. Modems,cable modems and Ethernet cards are just a few of the currentlyavailable types of network adapters.

The description of the present invention has been presented for purposesof illustration and description, and is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the artwithout departing from the scope and spirit of the describedembodiments. The embodiment was chosen and described in order to bestexplain the principles of the invention, the practical application, andto enable others of ordinary skill in the art to understand theinvention for various embodiments with various modifications as aresuited to the particular use contemplated. The terminology used hereinwas chosen to best explain the principles of the embodiments, thepractical application or technical improvement over technologies foundin the marketplace, or to enable others of ordinary skill in the art tounderstand the embodiments disclosed herein.

What is claimed is:
 1. A method, in a data processing system comprisinga processor and a memory coupled to the processor, for reparsingunsuccessfully parsed event data, the method comprising: determining, bythe processor, whether one or more unsuccessfully parsed event dataitems exist for a log source, wherein an unsuccessfully parsed eventdata item is an event data item where previous parsing failed, whereinthe determining whether the one or more unsuccessfully parsed event dataitems exist for the log source is performed based on the device supportmodule associated with the log source being updated; responsive to oneor more unsuccessfully parsed event data items existing, reparsing, bythe processor, each unsuccessfully parsed event data item of the one ormore unsuccessfully parsed event data items using an updated devicesupport module associated with the log source; and responsive to thedevice support module failing to successfully reparse the unsuccessfullyparsed event data item, retaining, by the processor, the unsuccessfullyparsed event data item in an unsuccessfully parsed event data item datastructure.
 2. The method of claim 1, wherein the successfully parsedevent data item is added to the historical record of events associatedwith the log source in temporal order.
 3. The method of claim 1, whereinadding the successfully parsed event data item to the historical recordof events associated with the log source further comprises: providing,by the processor, a holistic view of an organization's informationtechnology (IT) security to the customer for use in further IT securitydevelopment using the historical record of events.
 4. The method ofclaim 1, wherein retaining the unsuccessfully parsed event data item inan unsuccessfully parsed event data item data structure furthercomprises: issuing, by the processor, a notification to an administratorso that the failure of the device support module is addressed.
 5. Themethod of claim 1, wherein the data processing system is a securityinformation and event management (SIEM) system.
 6. The method of claim1, wherein the reparsing each unsuccessfully parsed event data isperformed in conjunction with parsing new unparsed event data.
 7. Themethod of claim 1, further comprising: responsive to the device supportmodule successfully reparsing the unsuccessfully parsed event data itemthereby forming a successfully parsed event data item, adding, by theprocessor, the successfully parsed event data item to a historicalrecord of events associated with the log source.
 8. A computer programproduct comprising a computer readable storage medium having a computerreadable program stored therein, wherein the computer readable program,when executed on a computing device, causes the computing device to:determine whether one or more unsuccessfully parsed event data itemsexist for a log source, wherein an unsuccessfully parsed event data itemis an event data item where previous parsing failed, wherein thecomputer readable program causing the computing device to determinewhether the one or more unsuccessfully parsed event data items exist forthe log source is performed based on the device support moduleassociated with the log source being updated; responsive to one or moreunsuccessfully parsed event data items existing, reparse eachunsuccessfully parsed event data item of the one or more unsuccessfullyparsed event data items using an updated device support moduleassociated with the log source; and responsive to the device supportmodule failing to successfully reparse the unsuccessfully parsed eventdata item, retain the unsuccessfully parsed event data item in anunsuccessfully parsed event data item data structure.
 9. The computerprogram product of claim 8, wherein the successfully parsed event dataitem is added to the historical record of events associated with the logsource in temporal order.
 10. The computer program product of claim 8,wherein the computer readable program to add the successfully parsedevent data item to the historical record of events associated with thelog source further causes the computing device to: provide a holisticview of an organization's information technology (IT) security to thecustomer for use in further IT security development using the historicalrecord of events.
 11. The computer program product of claim 8, whereinthe computer readable program to retain the unsuccessfully parsed eventdata item in an unsuccessfully parsed event data item data structurefurther causes the computing device to: issue a notification to anadministrator so that the failure of the device support module isaddressed.
 12. The computer program product of claim 8, wherein thecomputer readable program causing the computing device to reparse eachunsuccessfully parsed event data is performed in conjunction withparsing new unparsed event data.
 13. The computer program product ofclaim 8, wherein the computer readable program further causes thecomputing device to: responsive to the device support modulesuccessfully reparsing the unsuccessfully parsed event data item therebyforming a successfully parsed event data item, add the successfullyparsed event data item to a historical record of events associated withthe log source.
 14. A system comprising: a processor, and a memorycoupled to the processor, wherein the memory comprises instructionswhich, when executed by the processor, cause the processor to: determinewhether one or more unsuccessfully parsed event data items exist for alog source, wherein an unsuccessfully parsed event data item is an eventdata item where previous parsing failed, wherein the instructionscausing the processor to determine whether the one or moreunsuccessfully parsed event data items exist for the log source isperformed based on the device support module associated with the logsource being updated; responsive to one or more unsuccessfully parsedevent data items existing, reparse each unsuccessfully parsed event dataitem of the one or more unsuccessfully parsed event data items using anupdated device support module associated with the log source; andresponsive to the device support module failing to successfully reparsethe unsuccessfully parsed event data item, retain the unsuccessfullyparsed event data item in an unsuccessfully parsed event data item datastructure.
 15. The system of claim 14, wherein the successfully parsedevent data item is added to the historical record of events associatedwith the log source in temporal order.
 16. The system of claim 14,wherein the instructions to add the successfully parsed event data itemto the historical record of events associated with the log sourcefurther cause the processor to: provide a holistic view of anorganization's information technology (IT) security to the customer foruse in further IT security development using the historical record ofevents.
 17. The system of claim 14, wherein the instructions to retainthe unsuccessfully parsed event data item in an unsuccessfully parsedevent data item data structure further cause the processor to: issue anotification to an administrator so that the failure of the devicesupport module is addressed.
 18. The system of claim 14, wherein thesystem is a security information and event management (SIEM) system. 19.The system of claim 14, wherein the instructions causing the processorto reparse each unsuccessfully parsed event data is performed inconjunction with parsing new unparsed event data.
 20. The system ofclaim 14, wherein the instructions further cause the processor to:responsive to the device support module successfully reparsing theunsuccessfully parsed event data item thereby forming a successfullyparsed event data item, add the successfully parsed event data item to ahistorical record of events associated with the log source.